The harmful code recently found on Lenovo machines is now surfacing in other apps

As we previously reported, Lenovo apparently pre-loaded a number of its machines with Superfish adware along with other malicious code. The appearance of the potentially harmful software was not only shocking to many, but also prompted researchers to look around...

"Lenovo apparently pre-loaded a number of its machines with Superfish adware along with other malicious code."

Uh... I thought Superfish was the malicious code. Are you trying to say Lenovo just loaded up their machines with multiple pieces of malicious software? They're getting enough bad PR as it is, so let's try to be accurate here.

Superfish is bad enough, never mind letting other forms of self signing certificates reside in your OS. I've bought Lenovo for over 20 years now, and if I continue to do so, I'd format the drive (or install a new one) and do a clean install without any pre-loaded bloat.

"Self signing certificates" itself is not all that bad. It is a legit practice used by many, such as anti-virus software and other security software. The real issue here is that the certificates are not done properly by Komodia, which uses the _same key_ on all computer systems. This makes a malicious attack practical. It is an issue that is easy to overlook, though, because to discover the vulnerability, one essentially has to intentionally crack the encryption to know the key, as done by the "security analyst" in this case.

So, it is a good tool gone bad due to sloppy origination by folks who should know better and were thought to be trustworthy. Sounds like it still needs policing. Is there a 'white list'? Do any of the security software folks (Symantec, Trend Micro, AVG, etc) deal with this? I found this KB at Microsoft ( http://support.microsoft.com/kb/931125 ) and I believe it applies, but I would really like to hear from an expert.
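An added example, not part of any post in this thread: a fleet audit that compares each machine's root store against an allowlist and separates roots whose key is identical on several machines (the shared-key pattern described above) from roots with a per-install key. Host names, subjects and key bytes are constructed placeholders, and the inventory format is an assumption.

```python
import hashlib
from collections import defaultdict

def key_fp(public_key_bytes: bytes) -> str:
    """SHA-256 fingerprint of a certificate's public key bytes."""
    return hashlib.sha256(public_key_bytes).hexdigest()

# Constructed sample data: placeholder key bytes, not real certificates.
TRUSTED_KEY = b"constructed-public-ca-key"
SHARED_KEY = b"constructed-shared-proxy-key"  # identical on every install

# Allowlist of root key fingerprints the organisation has approved.
ALLOWLIST = {key_fp(TRUSTED_KEY)}

# host -> (subject, key fingerprint) pairs exported from its root store
INVENTORY = {
    "laptop-01": [("Example Public CA", key_fp(TRUSTED_KEY)),
                  ("Bundled Proxy Root", key_fp(SHARED_KEY))],
    "laptop-02": [("Bundled Proxy Root", key_fp(SHARED_KEY)),
                  ("AV Scanner Root", key_fp(b"constructed-av-key-02"))],
    "laptop-03": [("Example Public CA", key_fp(TRUSTED_KEY)),
                  ("AV Scanner Root", key_fp(b"constructed-av-key-03"))],
}

def audit_roots(inventory, allowlist):
    """Return non-allowlisted roots, shared-key findings first."""
    hosts_by_key = defaultdict(set)
    subject_by_key = {}
    for host, roots in inventory.items():
        for subject, fp in roots:
            if fp in allowlist:
                continue
            hosts_by_key[fp].add(host)
            subject_by_key[fp] = subject
    findings = []
    for fp, hosts in hosts_by_key.items():
        # One key seen on several machines means the private key ships
        # with the software, so anyone who extracts it can sign for all.
        kind = "shared-key" if len(hosts) > 1 else "per-install"
        findings.append({"subject": subject_by_key[fp], "kind": kind,
                         "hosts": sorted(hosts), "fingerprint": fp})
    return sorted(findings, key=lambda f: (f["kind"] != "shared-key",
                                           f["subject"], f["hosts"]))

if __name__ == "__main__":
    for f in audit_roots(INVENTORY, ALLOWLIST):
        print(f["kind"], f["subject"], f["hosts"])
```

A per-install root that is missing from the allowlist still needs review; the shared-key finding is the one that matches the flaw discussed in the thread.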

"Lenovo apparently pre-loaded a number of its machines with Superfish adware along with other malicious code."

Uh... I thought Superfish was the malicious code. Are you trying to say Lenovo just loaded up their machines with multiple pieces of malicious software? They're getting enough bad PR as it is, so let's try to be accurate here.


Superfish is bad enough, never mind letting other forms of self signing certificates reside in your OS. I've bought Lenovo for over 20 years now, and if I continue to do so, I'd format the drive (or install a new one) and do a clean install without any pre-loaded bloat.


You mean to say you've never done this before when buying any pre-built system? How strange. I thought it was a natural instinct for all us techie type folks to do a format and install a clean operating system before even unsealing the box the system comes shipped in. Not that you'd expect spyware to be pre-installed by a reputable manufacturer, but at least to get rid of the tons of crapware & bloatware which is always a given.

Since most of us are builders and we never buy pre-built systems, we may have overlooked that good advice to others. However, my guess is that if you are buying pre-built that you would be uncomfortable about wiping out your hard drive and choose instead to rely on your supposedly reputable OEM.
Public square pillory is the only redress and a good white list for trusted CAs is necessary.

I agree most of us are builders, but how many of us build laptops? My bad, I should have been more clear in my post.

Buy, wipe and clean install. Getting hold of an ISO of Windows is not hard; booting a DVD on a UEFI BIOS can be tricky though, depending on the implementation.


Why waste the DVD? I create a USB stick with Rufus. Format GPT for UEFI BIOS and I believe anything Windows 8 and newer should boot without disabling secure boot. I'm not familiar with how they are signed, but I haven't needed to disable secure boot in a while. The original ISO stays in my collection on my external and the USB key gets reused for my next project.